LASCON 2013 has ended
Thursday, October 24 • 11:00am - 11:45am
No More Monkey Business: Quality Assurance in Penetration Testing


Security audits, whether internal or customer-driven, are becoming more common and more frequent for software development programs. In many cases audit activities such as risk assessments, security scanning and penetration testing are required for program certification and accreditation. Going through a security audit can be a challenging situation filled with misunderstanding and frustration that can put a software program under considerable stress. This is exacerbated by some alarming trends we have noticed: a degradation in the quality of security testing, and a lack of quality assurance governing such testing activities.

With this increase in security audit activity, the security testing field has exploded with new practitioners in a discipline that was previously held almost exclusively by elite technical experts. This rapid growth is likely a contributing factor in declining quality, along with a plethora of rubber-stamp certifications, poor training, and industry ignorance. Over the past two years, my team has assisted several large software development programs in preparing for and accommodating extensive security audits. We have noticed and collected evidence pointing to a problem in the quality of security testing activities and results. These issues cost engineering teams significant dollars to deal with the false positives, unjustified severities and overreaching scopes of poor-quality audits. Many real-world examples of poor-quality penetration testing results are presented in this talk in order to describe and identify the problem.

The purpose of this talk is not to point fingers or stroke our own egos by implying that we are better than those whose mistakes are highlighted. Instead it is a call for quality assurance in the relatively new field of security auditing and penetration testing. Penetration testing is widely considered an art form or black magic by many in the software engineering world, and there is truth to the fact that, similar to a home inspection, two testers will not produce the exact same list of findings. However, our findings point to an overall degradation in the skill and knowledge of penetration testers that can, if not corrected, turn pen-testing from a so-called black art into a quackery selling "snake oil".

This presentation concludes with guidance for security practitioners on improving their security testing knowledge and skills and on taking personal responsibility for maintaining the highest standards of excellence. We suggest assurance methods based on sound engineering principles that should be implemented by security assessment teams. We also encourage those interested in or new to the field to base their careers on proven methods, quality certifications and, most of all, a passion for bettering the industry.

Aaron Estes

Chief Software Security Architect, Lockheed Martin Corporation
Aaron Estes is a software security consultant, engineer and professor who has worked with the nation's top defense contractors, financial institutions, and electronics and entertainment conglomerates to assess security risk and solve some of the most critical security concerns of today's...

Thursday October 24, 2013 11:00am - 11:45am
HackersForCharity.org Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757